Filtering intrusion detection system events on a single host

Inactive Publication Date: 2009-11-05
MULVAL TECH

AI Technical Summary

Benefits of technology

[0011] In view of the foregoing, an embodiment herein provides a method, and a program storage device readable by a computer and tangibly embodying a program of instructions executable by the computer, to perform a method to determine the consequences of a privilege escalation alert from Snort. The method comprises the steps of obtaining a privilege escalation alert from Snort; analyzing the privilege escalation alert information to determine the port targeted; using appropriate tools (such as netstat) to determine the program affected by the privilege escalation alert; identifying whether the affected program can be circumvented; identifying the user affected by said privilege escalation alert; and identifying the transitive effects of the privilege escalation alert. The privilege escalation alert is ignored if said affected program cannot be circumvented. The privilege escalation alert can also be ignored if it is determined that the particular network packet does not have the ability to attack the program. Determining the program affected by the privilege escalation comprises determining the process identifier of the program's process and determining identifying information, including that process identifier. Determining whether the affected program can be circumvented comprises verifying the vulnerability status of the affected program using external tools (Qualys, eEye Retina scanner, IBM ISS scanner) and v

Problems solved by technology

A recurring weakness of intrusion detection systems is their high false-positive rate.
It is quite common for intrusion detection systems to output tens of thousands of alerts; many of these alerts are false positives.
Snort alerts do not provide information about the program being targeted.
For example, the sendmail SMTP server is considered extremely risky based on its history of problems.
But it is not possible to identify the risk in the attempted escalation by looking at the Snort alert, because the alert does not provide any information regarding the program.
Also, Snort alerts do not provide information on whether a program can indeed be circumvented when an alert is received.
Current IDS systems only provide information on which port is being targeted, and hence it is not possible to distinguish between two different attempts, where one attempt goes to a vulnerable server and another goes to an invulnerable server.
Furthermore, Snort alerts do not provide information on the user account under which the targeted program is running.
That is, Snort does not provide information about the user account that is being targeted.
Furthermore, Snort alerts do not provide information on the transitive effects of the alerts.
The Snort alert does not indicate that it is possible to take control of the administrative account LocalSystem indirectly because of the existing path from NetworkService to LocalSystem.
Hence it is not possible to incorporate information like current background scans and attempted escalations into the framework to analyze the current risk profile.
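As an added example (not code from the patent), the following Python sketch applies the steps described above to a constructed Snort alert: it extracts the targeted port, maps it to the listening program, process id and account through a constructed netstat-style table, consults a constructed vulnerability table standing in for scanner output (Qualys, Retina and the like), and walks a constructed privilege graph to report the transitive NetworkService to LocalSystem path. All tables and the alert text are assumptions built for the example.

```python
import re
from collections import deque

# Constructed Snort fast-format alert line (sample, not real traffic).
ALERT = ("03/14-10:22:01.123456 [**] [1:2003:8] SMTP sendmail header overflow attempt [**] "
         "[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} "
         "10.0.0.5:44321 -> 10.0.0.9:25")

# Constructed netstat-style listener table: port -> (pid, program, account).
LISTENERS = {
    25: (1204, "sendmail", "NetworkService"),
    80: (1880, "httpd", "www-data"),
}
# Constructed vulnerability status, as an external scanner would report it.
VULNERABLE = {"sendmail": True, "httpd": False}
# Constructed privilege graph: account -> accounts reachable from it.
PRIV_EDGES = {"NetworkService": ["LocalSystem"], "LocalSystem": []}

# Destination "ip:port" at the end of a fast-format alert line.
ALERT_RE = re.compile(r"->\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*$")

def targeted_port(alert):
    """Return the destination port named in the alert, or None if absent."""
    m = ALERT_RE.search(alert)
    return int(m.group("port")) if m else None

def transitive_accounts(account, edges):
    """Breadth-first walk of the privilege graph from the affected account."""
    seen, queue = set(), deque([account])
    while queue:
        cur = queue.popleft()
        for nxt in edges.get(cur, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)

def assess(alert, listeners=LISTENERS, vuln=VULNERABLE, edges=PRIV_EDGES):
    """Decide whether the alert can be ignored or needs investigation."""
    port = targeted_port(alert)
    if port is None or port not in listeners:
        return {"action": "ignore", "reason": "no program listening on targeted port"}
    pid, program, account = listeners[port]
    if not vuln.get(program, False):
        return {"action": "ignore", "port": port, "pid": pid,
                "reason": f"{program} is not vulnerable"}
    return {"action": "investigate", "port": port, "pid": pid, "program": program,
            "account": account, "transitive": transitive_accounts(account, edges)}
```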


Embodiment Construction

[0017] The embodiments herein and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. Descriptions of well-known components and processing techniques are omitted so as not to unnecessarily obscure the embodiments herein. The examples used herein are intended merely to facilitate an understanding of ways in which the embodiments herein may be practiced and to further enable those of skill in the art to practice the embodiments herein. Accordingly, the examples should not be construed as limiting the scope of the embodiments herein.

[0018] The embodiments herein achieve a method to determine consequences based on privilege escalation alerts provided by intrusion detection systems like Snort. Referring now to the drawings, and more particularly to FIGS. 1 through 3, where similar reference characters denote corresponding fea...


Abstract

Embodiments disclosed herein describe a method to determine the consequences of a privilege escalation alert from an intrusion detection system, the method comprising the steps of obtaining a privilege escalation alert from the intrusion detection system and analyzing said privilege escalation alert information. The analysis further comprises identifying the program affected by said privilege escalation alert and determining whether it can be circumvented. The users affected by said privilege escalation alert and the transitive effects of said privilege escalation alert are also identified.

Description

BACKGROUND
[0001] 1. Technical Field
[0002] The embodiments herein generally relate to network management, and, more particularly, to determining the effects of a privilege escalation alert and identifying appropriate response measures.
[0003] 2. Description of the Related Art
[0004] Snort is widely used, open-source software that monitors network packets and identifies attempted privilege escalations on a computer network or on a single host running an exemplary operating system (Windows XP / Vista / 2000, 2003, Red Hat Linux, Solaris, HP-UX, etc.). The Snort detection system identifies that an attempt is made to circumvent a program that takes input from the network by listening on a particular port. Snort provides information about the source of the attempt, and the targeted program port and host identification. There are multiple intrusion detection systems available in the market that have the above property. They include ISS Intrusion Product, Snort, and other network and host-based intrusion detecti...

Application Information

IPC(8): G06F12/14
CPC: G06F21/55, H04L63/1433, H04L63/1416
Inventor GOVINDAVAJHALA, SUDHAKAR
Owner MULVAL TECH